ZKP8.1 Polynomial-IOP and Polynomial Commitment Schemes

ZKP study notes

ZK-Learning MOOC course notes

Lecture 8: FRI-based Polynomial Commitments and Fiat-Shamir (Justin Thaler)

8.1 Polynomial-IOP and Polynomial Commitment Schemes

  • Recall: build an efficient SNARK

  • Recall: Polynomial-IOP

    • P’s first message in the protocol is a polynomial h.
    • V does not learn h in full.
      • The description of h is as large as the circuit, so sending it in full would cost V linear time.
    • Rather, V is permitted to evaluate h at one point.
    • After that, P and V execute a standard interactive proof.
  • Recall: Polynomial Commitment Scheme

    • High-level idea:
      • P binds itself to a polynomial h by sending a short string Com(h)
      • V can choose x and ask P to evaluate h(x)
    • P sends y, the purported evaluation, plus a proof π that y is consistent with Com(h) and x.
    • Goals:
      • P cannot produce a convincing proof for an incorrect evaluation.
      • Com(h) and π are short and easy to generate; π is easy to check.
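The commit / query / open / verify interface described in the two "Recall" items above, as an added toy example (this is not code from the lecture or from any real library). It follows the hash-based approach of class 3 below: P evaluates h on a fixed domain, commits to the table of evaluations with a Merkle tree, V names a domain point x, and P answers with y = h(x) plus the authentication path as π. The field prime, the domain size and the polynomial are assumptions chosen for the demo. Two caveats a practitioner should keep in mind: the query point must lie in the committed domain (real schemes such as KZG or FRI-based commitments open at arbitrary points), and nothing here proves that the committed table is the evaluation of a low-degree polynomial, which is exactly the guarantee FRI adds; without it "binding to a polynomial" is only binding to an arbitrary table.

```python
# Added example (not from the lecture): a toy hash-based polynomial commitment.
# P commits to the evaluations of h on a fixed domain with a Merkle tree; V picks
# a domain point x and checks the claimed y against Com(h) via a Merkle path.
# Caveat: unlike FRI, nothing here proves the committed table is the evaluation
# of a LOW-DEGREE polynomial; the low-degree test is what FRI adds on top.
import hashlib

P = 2**61 - 1   # toy prime field F_p (assumption: any prime works for the demo)
D = 16          # evaluation domain {0, ..., D-1}; a power of two for the tree


def h_eval(coeffs, x):
    """Evaluate h(x) = sum c_i * x^i over F_p with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def H(*parts):
    """Length-prefixed, domain-separated SHA-256 over the given byte strings."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


def leaf(x, y):
    return H(b"leaf", x.to_bytes(8, "big"), y.to_bytes(8, "big"))


def merkle_layers(leaves):
    """Bottom-up list of tree layers; layers[-1][0] is the root."""
    layers = [leaves]
    while len(layers[-1]) > 1:
        cur = layers[-1]
        layers.append([H(b"node", cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return layers


def commit(coeffs):
    """P's side: Com(h) is the Merkle root over (x, h(x)) for x in the domain.
    Returns the short commitment and P's private opening state."""
    evals = [h_eval(coeffs, x) for x in range(D)]
    layers = merkle_layers([leaf(x, y) for x, y in enumerate(evals)])
    return layers[-1][0], (evals, layers)


def open_at(state, x):
    """P's side: answer V's query x with y = h(x) and the authentication path pi."""
    evals, layers = state
    path, idx = [], x
    for layer in layers[:-1]:
        path.append(layer[idx ^ 1])   # sibling hash at this level
        idx //= 2
    return evals[x], path


def verify(com, x, y, path):
    """V's side: recompute the root from (x, y, pi) and compare with Com(h)."""
    node, idx = leaf(x, y), x
    for sib in path:
        node = H(b"node", node, sib) if idx % 2 == 0 else H(b"node", sib, node)
        idx //= 2
    return node == com


def demo():
    coeffs = [3, 1, 4, 1, 5]               # constructed h(X) = 3 + X + 4X^2 + X^3 + 5X^4
    com, state = commit(coeffs)            # P sends the 32-byte Com(h)
    x = 7                                  # V's chosen query point (inside the domain)
    y, pi = open_at(state, x)              # P answers with y and pi
    ok = verify(com, x, y, pi)             # honest opening verifies
    bad = verify(com, x, (y + 1) % P, pi)  # a wrong y cannot be passed off against Com(h)
    return ok, bad, y == h_eval(coeffs, x)


if __name__ == "__main__":
    print(demo())
```

Com(h) is a single hash and π is log2(D) hashes, so both are short and cheap to check regardless of the degree of h; what the toy lacks (low-degree enforcement, openings outside the domain, and any hiding of the revealed evaluation) is precisely the work done by the FRI protocol that the rest of this lecture covers.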
  • Recall: Three classes of Polynomial IOPs

    • Based on interactive proofs (IPs)
    • Based on multi-prover interactive proofs (MIPs)
    • Based on constant-round polynomial IOPs
      • Examples: Marlin, PlonK.
  • Recall: Three classes of Polynomial commitments

    • Based on pairings + trusted setup (not transparent nor post-quantum)
      • e.g., KZG10
      • Unique property: constant sized evaluation proofs
    • Based on discrete logarithm (transparent, not post-quantum)
      • Examples: IPA/Bulletproofs, Hyrax, Dory
    • Based on IOPs + hashing (transparent and post-quantum)
      • e.g., FRI, Ligero, Brakedown, Orion
    • Note:
      • Classes 1. and 2. are homomorphic.
        • Leads to efficient batching/amortization of P and V costs (e.g., when proving knowledge of several different witnesses).
      • The three classes are listed in order of increasing verification cost.
  • Highlights of SNARK Taxonomy

    • Transparent SNARKs
      • [Any polynomial IOP] + IPA/Bulletproofs polynomial commitment.
        • Ex: Halo2-ZCash
        • Pros: Shortest proofs among transparent SNARKs
        • Cons: Slow V (linear time)
      • [Any polynomial IOP] + FRI polynomial commitment.
        • Ex: STARKs, Fractal, Aurora, Virgo, Ligero++
        • Pros:
          • Shortest proofs amongst plausibly post-quantum SNARKs.
          • More flexibility for what field you work over
        • Cons: Proofs are large (100s of KBs depending on security)
      • MIPs and IPs + [fast-prover polynomial commitments].
        • Ex: Spartan, Brakedown, Orion, Orion+(HyperPlonk)
        • Pros: Fastest P in the literature, plausibly post-quantum + transparent if polynomial commitment is.
        • Cons: Bigger proofs than 1. and 2. above
    • Non-transparent SNARKS
      • Linear-PCP based:
        • Ex: Groth16
        • Pros: Shortest proofs (3 group elements), fastest V.
        • Cons: Circuit-specific trusted setup, slow and space-intensive P, not post-quantum
      • Constant-round polynomial IOP + KZG polynomial commitment:
        • Ex: Marlin-KZG, PlonK-KZG
        • Pros: Universal trusted setup.
        • Cons: Proofs are ~4x-6x larger than Groth16, P is slower than Groth16, also not post-quantum.
          • Counterpoint for P: can use more flexible intermediate representations than circuits and R1CS.